#group
#prefix
/^Host\x3A[^\r\n]*/smi
/^User-Agent\x3A[^\r\n]*/smi
/^Content-type/smi
/^Authorization\x3a(\x20*|\x20*\x0D?\x0A\x20+)Basic\x20+/smi
/^X-Mailer\x3A/smi
/^Referer\x3A[^\r\n]*/smi
/^Subject\x3a/smi
/setRequestHeader\x28[^\x29]*(Host|Referer|Content-Length)/smi
/^From\x3A/smi
/(mailto|telnet|news|nntp|snews)\x3A[^\n]*\x25[^\n]*\x22\x2E/smi
/freeIPaddrs.ovpl[^\r\n]*netid=[^\r\n]*/smi
/cdpView.ovpl[^\r\n]*cdpnode=[^\r\n]*/smi
/^Netspy\x20+Version\x20+\d+\x2E\d+\x0D\x0As/smi
/^Host\x3A\x20+www\x2E/smi
/^Content-Length\x3a(\x20*|\x20*\x0D?\x0A\x20+)/smi
/^User\x2DAgent\x3A/smi
/\x2Epdf\x23[^\r\n]+\x3Djavascript\x3A/smi
/Content-Type/smi
/User-Agent\x3a/smi
/filename\x3D\x22[^\r\n]/smi
/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\x20+/smi
/union\x20+select\x20+[^\/\\]+from\s+[^\/\\]+]/smi
/\x3ctitle\x3e/smi
/^[\z617a\z415a]+\x20+\x2F/smi
/^(GET|POST)\x68+[^\n]*?\x2E\x2E/smi
/\x22method\x22\x20*\x3a\x20*\x22/smi
/wp-includes\x2F/smi
/\x2Fnewsurfer4\x2F/smi
/^Cookie\x3a/smi
/GET\x20+[^\x0D\x0A]*\x25[^\x0D\x0A]*\x2E/smi
/^X\x2DMailer\x3A[^\r\n]*/smi
/^Server/smi
/^Connected/smi
/\x2Ftoolbar\x2F/smi
/^\x20*\x28\x20*/smi
/^DmInf\x5E[^\r\n]*/smi
/^Host|3A|[^\r\n]*/smi
/^Host\x3A[^\r\n]+/smi
/^GET\x20+\x2F/smi
/Attach/smi
/^Via\x3A/smi
/body=/smi
/^STOR/smi
/Insta/smi
/<body/smi
/^Ca/smi
/^si/smi
/^To\x3A/smi
/[\z415a\z617a\z3039_\x2f][\z415a\z617a\z3039_\x2f][BFJNRVZdhlptx159]K/smi
/hcp\x3A/smi
/pro/smi
/^Lo/smi
/\x3c\x20*/smi
#infix
/toolbar/smi
/Keylogger/smi
/Software/smi
/search\x2e/smi
/Connect/smi
/der\x2Ecom/smi
/Subject/smi
/Version/smi
/application\x2F/smi
/downloads\x2Emorpheus\x2Ecom/smi
/www\x2Evisit\x2Dtracker\x2Ebiz/smi
/PASSWORD/smi
/String.fromCharCode\x28/smi
/\x2Estarware\x2Ecom/smi
/show\x2enewRooGoo\x2ecom/smi
/Microsoft/smi
/Monitor/smi
/Transfer-Encoding/smi
/malwaredestructor/smi
/\x2Edmcast\x2Ecom/smi
/function/smi
/document/smi
/www\x2Esearch/smi
/ieantivirus\x2Ecom/smi
/SIP\x2F2\x2E0/smi
/Control/smi
/WinInet/smi
/service/smi
/\x2Evirusheat\x2Ecom/smi
/Request/smi
/\x2Eweb-nexus\x2Enet/smi
/www\x2e2-seek\x2ecom/smi
/weather/smi
/^Authorization/smi
/\x2Edudu\x2Ecom/smi
/quicktime/smi
/image\x2fgif/smi
/Trojaner-Info/smi
/snprtz\x7Cdialno/smi
/\x2Ezhongsou\x2Ecom/smi
/<treechildren/smi
/Products/smi
/www\x2Einternet/smi
/\x2Eedonkey\x2Ecom/smi
/overflow/smi
/\x2Eeblocs\x2Ecom/smi
/\x2Ealtnet\x2Ecom/smi
/CYBERsitter/smi
/spywarestop/smi
/^User-Agent/smi
/Information/smi
/cleaner\x2Ecom/smi
/javascript\x3a/smi
/ictiona/smi
/Current/smi
/Manager/smi
/address/smi
/nteractive/smi
/login\x2Ejsp/smi
/name=CIA-/smi
/\x2521\x2521\x2521/smi
/files\x2Ecom/smi
/chinarank/smi
/t\x3C\x2Ftitle\x3E/smi
/horoscope/smi
/image\x2fbmp/smi
/ndex\x2Ejsp/smi
/username/smi
/www\x2ecash/smi
/register/smi
/scan\x2Ecom/smi
/response/smi
/GuardDog/smi
/activity/smi
/www\x2Elook/smi
/contains/smi
/position/smi
/Contact/smi
/Welcome/smi
/Server\x00/smi
/desktop/smi
/enhance/smi
/www\x2Eweb/smi
/tickets/smi
/Updater/smi
/FindNot/smi
/message/smi
/direct\x2E/smi
/Results/smi
/client\x2E/smi
/www\x2Eric/smi
/_FORMAT/smi
/margin\x20/smi
/payload/smi
#engine
/(spray|return_(!i0056)|(!i0093)code|shellcode|retaddr|ret(!i0056)|block|(!i0093)|agent|hspt)/smi
/u\x00n\x00e\x00s\x00c\x00a\x00p\x00e\x00\x20*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)/smi
/(!p0051)cation\x3a(\x20*|\x20*\x0D?\x0A\x20+)*URL\x20*\x3a/smiH
/(!p0002)\x3a(\x20*|\x20*\x0D?\x0A\x20+)(!i0065)/smiH
/^.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/sR
/[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smiH
/(!p0002)\x3a(\x20*|\x20*\x0D?\x0A\x20+)(!i0036)/smiH
/(!p0002)\x20*\x3a(\x20*|\x20*\x0D?\x0A\x20+)(!i0036)/smiH
/(!p0002)\x3a(\x20*|\x20*\x0D?\x0A\x20+)(!i0065)/smi
/(!p0052)IFRAME\x20*[^\x3e]*src=\x22(!i0052)/smi
/(!p0017)\x3A\x20+audio\x2F(x-wav|mpeg|x-midi)/iH
/(!p0002)\x3a(\x20*|\x20*\x0D?\x0A\x20+)text\x2fplain/smiH
/(!p0002)\x20*\x3a(\x20*|\x20*\x0D?\x0A\x20+)image\x2fp?jpe?g/smiH
/\x5B((!i0015) |(!i0015) Press )?I(!i0057) Training\x5D/
/(!p0044)\x20+[^>]*onLoad\x20*=\x20*[\x22\x27]?window\x28\x29/smi
/(!p0002)\x3A\x20*video\x2F(!i0035)/smiH
/(!p0002)\x3A\x20*video\x2F((!i0035)|x-(!i0035))/smiH
/(!p0050)mpt\x28fillmem[^\)]*\x29.*?<body\x20+[^>]*onLoad\x20*=\x20*[\x22\x27]?setTimeout\x28/smi
/(!p0002)\x20*\x3a(\x20*|\x20*\x0D?\x0A\x20+)(!i0036)/smi
/(!p0049)[^\r\n]+uplddrvinfo\x2Ehtm\x3F[^\r\n]*file\x3A/smi
/(!p0016)/smi
/(!p0016)[^\r\n]*(!i0021)\x2E\w+/smi
/\x23EXTM3U.*?udp\x3A\x2F\x2F[^\r\n]*%/smi
/(!p0043)ll(!i0007)\x20*\x29?\x20*\x2E\x20*compareTo/smi
/\x3c[^\x3e]*style\x20*=[^\x3e]*?csstext\x3a/smi
/\x09[\x00\x02\x04\x08][\x06\x08\x10]\x00\x00[\x04\x05\x06]\x00\x01/s
/(mailto|telnet|news|nntp|snews)\x3A%00%00/i
/(!p0009)cmd/i
/(!p0009)bat/i
/[\x00\x01]\x00\x09\x00.*?\xff\xff\xff[\xff\xf7][\x36\x37]\x00/smi
/JBIG2Decode.*?stream(\x0d\x0a|\x0a|\x0d)/smi
/(insertBefore|insertAfter|appendChild)\x28\x20*NULL\x20*\x29/sm
/obj\x3c\x3c.*?\x2fBaseFont\x2f[^\z80ff\x2f]*[\z80ff].*?endobj/s
/window\x2Eopen\x28(\x22[^\x22]+(\x25[^\z3039\z6166]|\x2C)|\x27[^\x27]+(\x25[^\z3039\z6166]|\x2C))/smi
/\x00[\x3b\x7c\x26\x60][^\x00]+\x00airappinstaller\x00ASnative\x00/smi
/(!p0022)[^\x3c]*\x26lt\x3b[^\x3c]*(>|\x26gt\x3b)/i
/(!p0029)distz/smi
/(!p0029)pkg/smi
/(!p0029)mpkg/smi
/^\w+\x20+[^\s]*app\x5fcode(\x255c|\x5c)/i
/\x7b[^\x7d]*((!i0044)[^\x7d]*(!i0092)*\x3a\x20*0\x20*\x3b|(!i0092)*\x3a\x20*0\x20*\x3b[^\x7d]*(!i0044))/si
/AdminServlet.*(userid|adminurl)[^\x26\x20\x0a]*<script/smiU
/(!p0049)\x2f\x2f[^\n]*(\x3c|\x253c)script(\x20|\x2520|\x2f)+defer/iO
/[\x3f\x26]role=[^\x26]*?[^\x26\z617a\z3039\x5b\x5d\x2d]/Usmi
/DecodeParms\x20*\x5B[^\]]*Colors\x20*\d\d\d\d/smi
/(!p0044)[^>]*?(!i0076)[^>]*?inherit[^>]*?-moz-column-(count|width)[^>]*?(!i0021)Element\x2Estyle\x2Eheight[^>]*?/smiR
/\x252e\x252e\x255c[^\s\x2e]*?\x2e\x7B3050F4D8-98B5-11CF-BB82-00AA00BDCE0B\x7d/smi
/(!p0007)[\x22\x27][^\x2c]*[\zA0FF]/smi
/(!p0007).*?(!i0012)/smi
/(!p0052)Marquee[^\x3e]*onstart\x20*\x3D\x20*\x22\x20*(!i0021)\x2e(write|writeln|open)/smi
/[^\n]*?[\x25\x22]\x2E(com|bat|cmd|exe)/Ri
/(!p0002)\x3A\x20*(!i0008)smil/smiH
/(\x51\x10..\x01(\x02|\x00)|\x01(\x02|\x00)..\x51\x10)/smi
/(!i0021)\x2Elocation\x2Ereplace\x20*\x28\x20*(\x22|\x27)[\z617a\z3039]+\x2Eexe\x3F[\z617a\z3039]+\x2Epdf/i
/on(!i0044)\x20*=\x20*(\x22|\x27)\x20*event.target.parentNode.removeChild/smi
/(!i0040).*ordinal=.*(!i0040)/smi
/\x2E[\z415a\d_]+\x20*\x7b\x20*text-decoration[^\x3A]*?\x7d/smi
/<\x21DOCTYPE\x20+[^>]*?SYSTEM[^>]*?>.*?\x2EparseError/smi
/(!p0017)\x3a[^\x10\x13]*real(audio|video)/smiH
/default.idq[^\r\n]*ciRestriction[^\r\n]*script/smi
/\x2F_vti_bin\x2F\x2Edll\x2F(%(0[\z3139]|1[\z3066])|%3f|\x22|\x2a|\x3a|<|>)[\\\/]~[\z3039]/Ui
/CiWebHitsFile=\x2F?([^\r\n\x3b\&]*\x2E\x2E\x2F)?/i
/(!i0033)|3A|\x20*Basic\x20+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi
/\x03create\x20+(aggregate\x20+)*(!i0020)/smi
/DATE(!i0091)\x28\x20*(\x22[^\x22]+\x25[^\x22]*\x22|\x27[^\x27]+\x25[^\x27]*\x27)/smi
/(INSERT|UPDATE)\x20*[\s\w]*((mysql\x2E)?func)[^\r\n]+values\x20*\x28[^\)]+\x2c[\x22\x27][^\x22\x27]*\x2f/i
/\x2Fnotifier\x2F(configINTERNAL\x2Eini)|(update\x2Ecgi)\x3F/Ui
/\x2Fs(earch)?\x2Ephp3?\x3Fsearch\x3D/Ui
/\x2Fxml\x2F(!i0000)\x2F(sports)|(news)|((!i0064)2)|((!i0064))|((!i0032)2)|((!i0032))\x2Ephp/Ui
/^(TC|FT)P\x20+Redirections?\x20+destroyed\x21/smi
/(!p0001)CodeguruBrowser\d+\x2E\d+/smiH
/(!p0000)(!i0090)hfind\x2Ecom/smiH
/(!p0001)Need2Find\x20+Bar/smiH
/(!p0000)click\x2Edotcom(!i0000)\x2Ecom/smiH
/(!p0000)(!i0089)contextual\x2Eesyndicate\x2Ecom/smiH
/(!p0000)www(!i0039)/smiH
/(!p0000)mp3(!i0039)/smiH
/(!p0000)www\x2Edotcom(!i0000)\x2Ecom/smiH
/(!p0001)GirafaClient/smiH
/(!p0001)MGS-Internal-Web-(!i0055)/smiH
/(!p0000)www\x2Ebuscandoamigos\x2Ecom/smiH
/(!p0001)xpsp2-\d+.*Host\x3A[^\r\n]*lifeisfine\x2Eorg/smiH
/(!p0000)www\x2EZSearch(!i0088)\x2Ecom/smiH
/(!p0001)(!i0038).*Host\x3A[^\r\n]*linkautomatici\x2Ecom/smiH
/(!p0000)ccecaedbebfcaf\x2Ecom.*?uuid=.*?wv=.*?cargo=.*?check=/smiH
/(!p0005)http\x3A\x2F\x2Fdiscounts\x2Eshopathome\x2Ecom\x2Fframeset\x2Easp\x3F/smiH
/\x2FCU[^\r\n]*\x18\d+\x18True\x18\x16/smi
/^0[^\r\n]*Days[^\r\n]*Hours[^\r\n]*Minutes[^\r\n]*Seconds\x2D[^\r\n]*\x7C\d+\x2D[^\r\n]*\x2D\x7C/smi
/(!p0005)www\x2Ewowokay\x2Ecom/wowokaybar\x2Ephp/smiH
/(!p0000)1\x2Dextreme\x2Ebiz/smiH
/(!p0000)www\x2Ealfa(!i0051)/smiH
/(!p0019)*?\x2D\d+\x5F\d+\x5F\d+\x2D\d+\x5F\d+\x5F\d+\x20+[AP]M\x2Ezip/smi
/(!p0000)www\x2Etopadwarereviews\x2Ecom/smiH
/(!p0004)[^\r\n]*_\d+_ANSMTP_\d+_.*(!i0006)\x3A[^\r\n]*LOG\x20+FILE\x20+(!i0054)\x20+User\x3A/smi
/(!p0000)www\x2Eweepee\x2Ecom/smiH
/(!p0000)badurl\x2Egrandstreeti(!i0057)\x2Ecom/smiH
/(!p0013)emp3fin(!i0005)/smiH
/(!p0000)cache\x2Eeverer\x2Ecom/smiH
/(!p0001)EFError\x20+Internet\x20+(!i0004)ion\x20+Test/smiH
/Hello\x2E\x20+This\x20+letter\x20+(!i0075)\x20+logfile\x20+from/smi
/(!p0000)home(!i0043)/smiH
/(!p0000)files-pl(!i0013)/smiH
/^N\x3aUC\x3a\d+\x2c\d+\x2e\d+\x2e\d+\x2e\d+\x2c/smi
/(!p0000)(!i0000)\x2Ehotblox\x2Ecom/smiH
/(!p0000)name\x2ecnnic\x2ecn/smiH
/(!p0005)as(!i0013)\x2Fdp\x2Fsearch\x3Fx=/smiH
/(!p0005)(!i0031)\x2fsearch/smiH
/(!p0000)(!i0031)/smiH
/(!p0005)www\x2eurlblaze\x2enet.*Host\x3A[^\r\n]*www\x2Epeer2mail\x2Ecom/smiH
/(!p0008)\x20+\x22ProAgent\x20+v\d+\x2E\d+\x22/smi
/(!p0000)dl(!i0030)/smiH
/(!p0000)stech(!i0030)/smiH
/(!p0000)(!i0042)-optimizer\x2Ecom/smiH
/(!p0013)smileycentral\x2Ecom/smiH
/(!p0001)NSIS_DOWNLOAD.*Host\x3A[^\r\n]*tb\x2Efreeprod\x2Ecom/smiH
/(!p0008)[^\r\n]*\x3Clogs\x40logs\x2Ecom\x3E/smi
/(!p0001)Visicom\x20+(!i0000)/smiH
/(!p0013)instafin(!i0005)/smiH
/\x23\x23\x23\x23\x20+Fen\xeatre\x20+\x3a[^\r\n]*\x23\x23\x23\x23/smi
/(!p0000)corep(!i0019)/smiH
/(!p0000)dddlogin(!i0034)/smiH
/(!p0000)www\x2Eaccoona\x2Ecom/smiH
/^NETObserve\x20+(!i0029)ed\x20+(!i0050)/smi
/(!p0000)show\x2Eroogoo\x2Ecom/smi
/(!p0000)media\x2Edxc(!i0087)com/smiH
/(!p0000)www\x2Esogou\x2Ecom/smiH
/(!p0000)(!i0090)ercadoppia\x2Ecom/smiH
/(!p0006)[^\r\n]*System\x20+Surveillance\x20+Log/smi
/^\x23\x20+Ghost\x20+(!i0001)\x20+has\x20+started\x2E/smi
/(!p0000)toolsbar\x2Ekuaiso\x2Ecom/smiH
/(!p0000)www\x2Eeasy(!i0086)\x2Enet/smiH
/(!p0008)\xd0\xc5\xcf\xa2.*(!i0006)\x3a[^\r\n]*\d+\x2d\d+\x2d\d+\x2d\d+\x3a\d+\x3a\d+/smi
/(!p0000)ad\x2Emokead\x2Ecom/smiH
/(!p0004)[^\r\n]*mail\x20+(!i0020)/smi
/(!p0006)[^\r\n]*Report[^\r\n]*from[^\r\n]*ChildWebGuardian/smi
/(!p0001)Spy\x2DLocked/smiH
/^SSKC[^\r\n]*v2\x2E0[^\r\n]*Startup[^\r\n]*at/smi
/(!p0028)[^\r\n]*www\x2Esnap\x2Ecom[^\r\n]*(!i0000)_domain_redirect/smiH
/(!p0004)[^\r\n]*Computer(!i0001)\x2Ecom/smi
/(!p0004)[^\r\n]*A-Spy[^\r\n]*Server/smi
/(!p0000)(!i0074)ster\x2Enet/smiH
/(!p0001)Spynova[^\r\n]*(!i0000)/smiH
/^Set-Cookie\x3a[^\r\n]*LastURL\x3dhttp\x3a\x2f\x2fwww\x2e680180\x2enet\x3a80\x2fads\x2f/smiH
/(!p0028)[^\r\n]*source%3Dultrasearch136%26campaign%3Dsnap/smiH
/(!p0000)gpstool\x2eglobaladserver\x2ecom/smiH
/(!p0000)(!i0003)conduit\x2ecom/smiH
/(!p0000)scn\x2emystore(!i0000)\x2ecom/smiH
/(!p0000)\x2epersonalweb\x2ecom/smiH
/(!p0008)[^\r\n]*Digi\x2DWatcher\x2Ecom/smi
/(!p0006)[^\r\n]*Powered\x20+(!i0001)\x20+Logs/smi
/Please\x2C\x20+find\x20+the\x20+log\x20+file\x20+\x28PKL\x29\x20+attached\x20+to\x20+this\x20+e\x2Dmail\x2E/smi
/(!p0039)ment\x20+(!i0075)\x20+Spy\x20+Lantern\x20+(!i0001).*log\x20+file\x2E/smi
/(!p0019)*\x2Eltr\x22/smi
/filename\x20*\x3D\x20*\x22as\x5Freport\x5F[^\x22]+\x2Ezip\x22/smi
/Computer\x20+(!i0016)\x20+by\x20+Lastcomfort/smi
/(!p0019)*akllogs\x2Ezip\x22/smi
/(!p0004)[^\r\n]*Computer\x20+(!i0016)/smi
/(!p0039)ed\x20+\x28ZIP\x20+file\x29\x20+to\x20+this\x20+email\x20+are\x20+the\x20+(!i0073)\x20+logs\x20+that\x20+you\x20+have\x20+(!i0029)ed\x2E/smi
/(!p0030)Chilkat\x20+(!i0002)\x20+Inc/smi
/(!p0022)Email\x20+Spy\x20+(!i0016)\x20+Logging\x20+Repor(!i0063)/smi
/(!p0001)PeoplePal\x20+(!i0007)\x20+Checker/smiH
/(!p0015)[^\r\n]*bar\x2Dget/smiH
/(!p0001)ContraVirusPro/smiH
/(!p0030)(!i0085)\x20+(!i0072)/smi
/(!p0008)[^\r\n]*\x22(!i0085)\x20+(!i0072)\x22/smi
/(!p0001)EliteProtector/smiH
/(!p0001)Dealio\x20+(!i0000)\x20+\d+.\d+/smiH
/(!p0000)www\x2Eeclickz\x2Ecom/smiH
/(!p0000)tbar\x2E(!i0062)\x2Eorg\x2Ecn/smiH
/(!p0000)www\x2Eallcollisions\x2Ecom/smiH
/(!p0000)registrydefender\x2Etechwithyou\x2Ecom/smiH
/(!p0000)dl1(!i0028)/smiH
/(!i0049)\x3a[^\r\n].*(!i0062)\x20+(!i0000)\x29/smiH
/(!p0000)www\x2e(!i0048)\x2ecom/smiH
/(!p0000)www(!i0028)/smiH
/(!p0000)www\x2Eregistrydefen(!i0005)/smiH
/(!p0000)(!i0000)\x2Elocmag\x2Ecom/smiH
/(!p0000)www\x2Efind\x2Efm/smiH
/(!i0006)\x3A[^\r\n]*(!i0047)\x20+Report\x20+for\x3A/smi
/(!p0001)SystemDefender/smiH
/(!p0000)www\x2Esys-(!i0051)/smiH
/(!p0000)theonlybookmark\x2ecom/smi
/(!i0047)\x20+appears\x20+to\x20+be\x20+(!i0020)ing/smi
/(!p0000)www\x2Ewinxdefen(!i0005)/smiH
/(!p0000)safe-strip-download\x2ecom/smi
/(!p0000)(!i0023)/smiH
/(!p0000)live(!i0071)site\x2Ecom/smiH
/^MZKERNEL32\x2eDLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProc(!i0056)/smi
/(!p0001)SpeedRunner/smiH
/(!p0000)(!i0014)/smiH
/(!p0000)(!i0014)/smiH
/(!p0000)directname(!i0027)2008\x2ecom/smiH
/(!p0000)www\x2e(!i0018)\x2ecom/smiH
/(!p0000)intervarioclick\x2ecom/smiH
/(!p0000)rightonadz\x2ebiz/smiH
/(!p0000)(!i0002)referral\x2ecom/smiH
/(!p0000)44\x2e770304123\x2ecn/smiH
/(!p0001)PcPc(!i0084)/smiH
/(!p0000)safewebnavigate2008\x2ecom/smiH
/(!p0000)server\x2e(!i0000)\x2erediff\x2ecom/smiH
/(!p0000)(!i0023)/smi
/(!p0000)www\x2epowersearchtool\x2ecom/smiH
/(!p0000)free\x2Dviru(!i0070)/smi
/(!p0005)http\x3A\x2F\x2Fmtn5\x2Egoole\x2Ews\x2Fac\x2Ephp/smi
/(!p0001)WinSecureDisc/smiH
/(!p0000)a1\x2Emxlivemedia\x2Ecom/smiH
/(!p0001)CPUSH\x5fHOMEPAGE/smiH
/(!p0000)www\x2ebravesentry\x2ecom/smiH
/(!p0000)ads\x2enetbios\x2dlocal\x2ecom/smiH
/url=[^\r\n]*kl\x2E(!i0003)need2find\x2Ecom/Ui
/^S\x3aUsers\x5c\d+\x2cSTATSTimeTotal/smi
/(!p0000)as(!i0013)/smiH
/^HBand,[^\r\n]*,[^\r\n]*,\d+,\d+\x2A\xD5ZBM/smi
/(!p0033)ico\x2F[\z617a\z415a\z3039_%]*\x2Eico/Ui
/(!p0000)searches\x2Eworldtostart\x2Ecom/smiH
/(!p0000)rank\x2E(!i0000)browser\x2Ecom/smiH
/(!p0000)loomcompany\x2Ecom/smiH
/(!p0000)www\x2Epcsentinel(!i0002)\x2Ecom/smiH
/(!p0004)\x20+\xb0\xae\xb6\xf9\xcd\xf8\xb5\xc1/smi
/\x2Fclient\x2F(view|tvlistings|tvshow(!i0083)|movie(!i0083))\x2Easpx/Ui
/(!p0033)(((!i0007)\x2Etxt)|(notify(!i0000)\x2Ehtml))/smi
/(!p0004)[^\r\n]*Eye\x20+Spy\x20+Pro/smi
/(!p0006)[^\r\n]*Beyond\x20+(!i0001)\x20+Report\x2E\x20+Id\x3d\x5b.*\x5d/smi
/(!p0001)FunWeb(!i0041)/smiH
/(!p0022)Actual\x20+Spy\x20+(!i0002)\x20+report\x3C|2F|title\x3E/smi
/(!p0004)[^\r\n]*Computer[^\r\n]*(!i0016)[^\r\n]*(!i0001)/smi
/(!p0000)(!i0082)cruiser\x2Ecc/smiH
/(!p0001)(!i0000).*Host\x3A[^\r\n]*tool\x2Eworld2\x2Ecn/smiH
/(!p0000)ppcdomain\x2Eco\x2Euk/smiH
/(!p0005)(!i0009)\x2Frotation/smiH
/(!p0001)Flashbar[^\r\n]*(!i0000)[^\r\n]*X/smiH
/(!p0001)SecureNet\x20+Xtra/smiH
/(!p0000)www\x2Ebydou\x2Ecom/smiH
/(!p0000)(!i0089)baigoo\x2Ecom/smiH
/(!p0004)[^\r\n]*JMail[^\r\n]*by[^\r\n]*Dimac/smi
/Server\x3a[^\r\n]*WatchDog[^\r\n]*Server/smiH
/(!p0004)[^\r\n]*PC[^\r\n]*Black[^\r\n]*Box/smi
/(!p0038)K\x3F[^\r\n]*\x7C*\x7C*\x7C*\x20+HTTP*/smi
/(!p0000)cs\x2Eshopperreports\x2Ecom/smiH
/\x2F(dist|SupportFiles)\x2F[^\r\n]*\x2Ecompress/Ui
/(!p0001)(!i0038).*Host\x3A[^\r\n]*www\x2Eotherchance\x2Ecom/smiH
/(!p0000)www\x2Ee-finder\x2Ecc/smiH
/(!p0000)(!i0022)adv\x2Ecom/smiH
/(!p0000)www(!i0046)/smiH
/(!p0000)www\x2Emakeme(!i0003)com/smiH
/(!p0000)(!i0009)/smiH
/(!p0001)Peer\x20+Points\x20+(!i0055)/smiH
/(!p0000)pm(!i0046)/smiH
/(!p0001)(!i0000).*?Host\x3A[^\r\n]*(!i0022)ingall\x2Ecom/smiH
/(!p0000)your(!i0081)ment\x2Ecom/smiH
/(!p0000)(!i0042)advertisingcompany\x2Ebiz/smiH
/keyword\x3d[^\r\n]*url\x3d[^\r\n]*www\x252efindthewebsiteyouneed\x252ecom/smi
/(!p0006)[^\r\n]*(!i0073)[^\r\n]*(!i0001)[^\r\n]*Logs/smi
/(!p0000)netguide\x2Egrip\x2Ecom/smiH
/\x2F(word)|(news)|((!i0032))|(joke)|(tip)\x2Easpx\x3F/Ui
/(!p0001)shprrprt-cs-\d+\x2E\d+\x2E\d+/smiH
/(!p0008)\x20+SpyOuTSiDe\x40(!i0054)ChaoS\x2ETk/smi
/(!p0006)\x20+\x5B\d+\x5D\x2D\x20+SpYOuTSiDe\x20+transmission\x20+with\x20+log\x20+\x2D/smi
/(!p0000)enews\x2Eearthlink\x2Enet/smiH
/(!p0042)\x20+\x2E\x2F(kys|scr|Apps|Urls)[\z3039]+\x2Etxt/smi
/(!p0001)(!i0026)\x20+Test/smiH
/^X-OEM\x3A[^\r\n]*iOpus\x20+(!i0002)\x20+GmbH.*X-Sender\x3A[^\r\n]*iOpus\x20+(!i0002)\x20+GmbH/smi
/(!p0001)(!i0015)\x20+URL\x20+(!i0025)/smiH
/(!p0000)www\x2Evip-se\x2Ecom/smiH
/^NICK\x20+\x5E\d+\x5E\d+\x5E\d+\x5E\d+\x5E6633/smi
/(!p0000)www\x2Eoemji\x2Ecom/smiH
/(!p0000)www\x2eanti\x2dvirusxp2008\x2enet/smiH
/(!p0001)Nimo\x20(!i0002)\x20HTTP\x20Retriever/smiH
/(!p0000)superiorads\x2ebiz/smiH
/Report\x20\x40.*name\x3dcheat(!i0016)R\x5fSCREEN\x2eDATETIME/smi
/(!p0000)www\x2efakemailer\x2einfo/smiH
/Host\x3a[^\r\n]*scanner\x2evav\x2dx\x2dscanner\x2ecom/smiH
/(!p0000)www\x2ekamyab-hack\x2ecom/smiH
/(!p0000)www\x2ewinreanimator\x2ecom/smiH
/(!p0000)as\x2e(!i0032)studio\x2ecom/smiH
/(!p0000)ads\x2egooochi\x2ebiz/smiH
/(!p0000)ads\x2etargetedbanner\x2ebiz/smiH
/(!p0000)WinXDefen(!i0005)/smiH
/(!p0000)www(!i0045)/smiH
/Uin=\d+\x26Name=.*?IP-.*?USER-.*?TROJAN-.*?PORT-.*?(!i0011)-.*?OS-.*?WEBCAM-/smi
/(!p0000)(!i0088)master\x2Ecom/smiH
/(!p0000)www\x2Eproofile\x2Ecom/smiH
/\x2Fcs\x2Fpop4\x2F((frame_ver2)|(UI2))\x2Ehtml/Ui
/^Rabio\x3a[^\r\n]*search\x2D(!i0081)r/smi
/(!p0000)www\x2Epurity(!i0070)/smiH
/\x2Fmartuz\x2Ecn\x2Fvid\x2F\x3Fid\x3D\d+/smi
/(!p0001)adfsgecoiwnf/smiH
/(!p0000)down\x2Epprich\x2Ecom/smiH
/(!p0000)ddduser(!i0034)/smiH
/(!p0027)(((!i0069)\x2Easp)|(survey\x2Easp\x3FnUserId=))/Ui
/(!p0001)NetGuarder\x20+WebCleaner/smiH
/(!p0000)adblock\x2Elinkz\x2Ecom/smiH
/(!p0000)www\x2Eyoogee\x2Ecom/smiH
/(!p0001)Asynchronous\x20+(!i0026)\x20+CLASS/smiH
/(!p0000)download(!i0045)/smiH
/(!p0000)www\x2Eadoptim\x2Ecom/smiH
/(!p0000)sda(!i0043).*User-Agent\x3A[^\r\n]*ed2k/smiH
/(!p0000)cojud(!i0019)/smiH
/(!p0000)www\x2Emyarmory\x2Ecom/smiH
/(!p0000)(!i0068)on\x2eco\x2ekr/smiH
/(!p0036)trusty(!i0061)/smiH
/(!p0000)(!i0074)quick\x2Ecom/smiH
/(!p0000)www\x2Emaxi(!i0061)/smiH
/(!p0000)www\x2Emxs\x2Eco\x2Ekr/smiH
/(!p0000)www\x2Eez-greets\x2Ecom/smiH
/(!p0000)media\x2Etop-banners\x2Ecom/smiH
/(!p0005)www\x2efuck\x2dportal\x2ecom/smiH
/(!p0015)[^\r\n]*WakeSpace/smiH
/(!p0001)AdwareAlert/smiH
/(!p0013)searchwords\x2Ecom/smiH
/(!p0000)www\x2Eccnnlc\x2Ecom/smiH
/\x2F(!i0080)\x2F\d+\x2F(!i0000)\x2Fsupremetb\d+\x2Ecfg/Ui
/(!p0000)widget\x2ealot\x2ecom/smiH
/(!p0027)[\z617a\z415a\z3039_\x2d]*\x2Easp\x3Fbrand=/Ui
/(!p0000)dddrep(!i0034)/smiH
/(!p0000)www\x2Elocmag\x2Ecom/smiH
/(!p0001)(!i0015)\x20+URL\x20+(!i0025)\x20+-/smiH
/\x2F(!i0041)\x2Fspyblocs\x2F(spyblpat\d*\x2Edat\x2E\d+)|(spyblini\x2Eini)/UiH
/(!p0000)(!i0068)fiesta\x2Ecom/smiH
/update/barcab/.*?tn=.*id=.*version=/smi
/(!p0000)related\x2Eyok\x2Ecom/smi
/\x2fAdpic\x2f\d+\x2f\d+ad\x28\d+\x2c\d+\x2c\d+\x2c\d+\x29\x2ejpg/Ui
/(!p0000)spybl\x2Ecyberdefen(!i0005)/smiH
/(!p0001)RX Bar\x20+(ver=)?/miH
/(!p0000)web(!i0003)drsnsrch\x2Ecom/smiH
/(!p0000)dcww(!i0019)/smiH
/(!p0001)vb\x20+(!i0026)/smiH
/(!p0036)aresflashdownloa(!i0005)/smiH
/(!i0049)\x20*\x3A[^\r\n]*SAH Agent/miH
/(!p0000)(!i0082)228\x2ecn/smiH
/(!p0000)clear(!i0003)com/smiH
/(!p0000)www\x2emeta(!i0087)net/smiH
/(!p0000)(!i0022)expert\x2Ecom/smiH
/(!p0001)vb\x20+(!i0026)/smiH
/(!p0000)uplink\x2Eco\x2Ekr/smiH
/(!p0001)DeepdoUpdate/smiH
/(!p0000)pop\x2Epopuptoast\x2Ecom/smiH
/(!p0001)(!i0018)/smiH
/\x2Fgumblar\x2Ecn\x2Frss\x2F\x3Fid\x3D\d+/smi
/(!p0001)CPUSH\x5f(!i0084)/smiH
/(!p0001)AD[^\r\n]*(!i0029)/smiH
/(!p0000)wwws\x2Ehenbang\x2Enet/smiH
/(!p0000)(!i0003)rediff\x2ecom/smiH
/\x2Fbonzibuddy\x2F(updates|(!i0041)|daily)\x2Enbd/Ui
/(!p0001)(!i0048)/smiH
/\x5Chome\x2Flordofsearch[^\r\n]*\x2Ehtml/smi
/(!p0037)www\x2Eblazefind\x2Ecom/smiH
/^rnto\x20[^\s\x0d\x0a]*\x2e\x2e(\x2f|\x5c)/i
/\x20LOGIN\x20\w+\x20\x7B\d+\x7D[\r]?\x0A[^\n]*?%/smi
/\x20SEARCH\x20\w+\x20\x7B\d+\x7D[\r]?\x0A[^\n]*?%/smi
/name=[^\r\n]*?\x2E(mim|uue|uu|b64|bhx|hqx|xxe)/smi
/^552[\z415a\z3039\s\x5F\x2D\x2E\x28\x29\x22\x27]+Headers\x20+too\x20+large/smi
/^Content-(!i0017)\x20*\x3A\x20*base64/smi
/(!p0017)\x20*\x3a\x20*(!i0086)\x2fPartial/smi
/id\x20*=\x20*[\x22\x27]?[^\x22\x27\n]*..[\x2f\x5c]/smi
/.*<[^>]*href[^>]*(file\x3A|[cC]\x3A|\x5C\x5C).*>)/
/(!p0048)QklHMkRlY29kZ[QRSTUVWXYZabcdef][\z415a\z617a\z3039_\x2f][\z415a\z617a\z3039_\x2f]/
/(!p0048)YXZhU2NyaXB0/
/SmF2YVNjcmlwd[ABCDEFGHIJKLMNOP][\z415a\z617a\z3039_\x2f][\z415a\z617a\z3039_\x2f]/
/[\z415a\z617a\z3039_\x2f][EUk0]phdmFTY3Jpcc[QRST][\z415a\z617a\z3039_\x2f]/
/^Content-Dis(!i0076)\x3A\x20*attachment/smi
/^GateCrasher\x20+v\d+\x2E\d+\x2C\x20+Server\x20+On-Line\x2E\x2E\x2E/smi
/^001\xACOptix\x20+Pro\x20+v\d+\x2E\d+\x20+(!i0004)ed\x20+Successfully\x21/smi
/^stAlvgus\x27s\x20+Trojan\x20+Server\x20+2000/smi
/^ForCed\x20+EnTrY\x20+\d+\x2E\d+\x2E\d+\x0D\x0A\x0D\x0A\x0D\x0A(!i0004)ion\x20+Stable/smi
/^diGetting\x20+content\x20+of\x20+directory\x3A/smi
/You\x20+are\x20+now\x20+(!i0004)ed\x20+to\x20+an\x20+BackAtTaCk\x20+server/smi
/One\x20+more\x20+step\x20+until\x20+(!i0004)ion\x2E/smi
/(!p0041)FeaR\x25200\x2E2\x2E0\x2520Online\x3A\x2520\x5BIP_\d+\x2E\d+\x2E\d+\x2E\d+\x5D\x2520\x5BPort_/smi
/(!p0032)\x20+to\x20+[^\r\n]*\x28\d+\x2E\d+\x2E\d+\x2E\d+\x29/smi
/(!p0001)SiLENT\x20+SPY/smiH
/H02EXE\x20+File\x20+Name\x3A\x20+CYBERPAKY\x0D\x0AOperating\x20+System/smi
/^R_Server\x20+(!i0007)\x3A\d+\x2E\d+[^\r\n]*R\d+\x2E\d+/smi
/(!p0006)[^\r\n]*NetBus\x20+server\x20+is\x20+up\x20+and\x20+running/smi
/Schwindler\x20+Servidor\x2E\x20+Porta\x20+\d+/smi
/^\x2FNFO\x2C(!i0069)ed\x20+Owner\x3A\x20+[^\r\n]*\x0D\x0A(!i0054)\x20+user\x3A\x20+/smi
/(!p0051)gin_ok\x5EMiniCommand\x20+(!i0007)\x20+\d+\x2E\d+\x2E\d+\x20+ready\x20+for\x20+action\x2E/smi
/(!p0020)\d+\x2E\d+\w+\x20+(!i0079)/smi
/(!p0041)(!i0060)Optix\x20+Pro\x20+v\d+\x252E\d+\S+sErver\x20+Online(!i0060)/smi
/^\xad\x86\x01\x00\x08\x00\x00\x001\x5EMerlin/smi
/^psswd((ok\x2A\x2D\x2A(!i0011)\x20+OK\x0D\x0A)|(error\x2A\x2D\x2AWrong\x20+(!i0011)\x0D\x0A))/smi
/^\d+\x2d\x20+(!i0078)\x20+To\x20+EvilFTP\x20+\x3a\x29\x0D\x0A/smi
/(!p0006)[^\r\n]*Im\x20+Online\x20+\d+\x2E\d+\x2E\d+\x2E\d+/smi
/^FROM|3A|\x20+HTTP_RAT_.*(!i0006)|3A|\x20+there\x20+is\x20+a\x20+HTTPRAT\x20+waiting\x20+4\x20+u\x20+on/smi
/\x2Ffriendship\x2Femail_thank_you\x3F[^\r\n]*nick_(!i0059)Test[^\r\n]*friend_nick(!i0059)Notify-Tezt/Ui
/(!p0046)n\d+\x3A[^\r\n]*\x3A\d+\x3A\d+\x3A/smi
/(!p0012)ervice\x3A/smi
/^We\x20+got\x20+this\x20+GREAT\x20+Daemon.*F(!i0053)l\x20+Daemon/smi
/^\x20\x20rad\x20\d+\x2E\d+\x2E\d+\x20\x20\x3E\x3C/smi
/We\x20+got\x20+this\x20+GREAT\x20+Daemon.*F(!i0053)l\x20+Daemon/smi
/(!p0008)[^\r\n]*IP\x20+(!i0077).*X-Mailer\x3A[^\r\n]*EBT\x20+Reporter.*(!i0006)\x3A[^\r\n]*Vic\x20+Ip\x20+Addy/smi
/\x23\x31\x23aComprobar\x20+si\x20+esta\x20+conectadoa\x232\x23\x233\x23\x23f\x23/smi
/^RTB\x20+666\x20+v\x2E\d+\x2E\d+\x3B\x20+Firewall\x20+Guarded\x20+Port\x2E\x20+Your\x20+IP\x20+is/smi
/^Exploiter\x20+Server\x20+\d+\x2E\d+\x20+\x2E\x20+Port\x20+\d+/smi
/(!p0008)[^\r\n]*cyber@yahoo\x2Ecom.*(!i0006)\x3A[^\r\n]*notification\d+\x2E\d+\x2E\d+\x2E\d+/smi
/(!p0046)\x7CServer\x7C[^\r\n]*\x7C\d+\x2E\d+\x2E\d+\x2E\d+\x7C/smi
/(!p0001)http\x20+protocol/smiH
/^ver\x3aGhost\x20+(!i0007)\x20+\d+\x2E\d+\x20+server/smi
/^GirlFriend\x20+Server\x20+\d+\x2E\d+\x20+\x2E\x20+port\x20+\d/smi
/(!p0046)n[^\r\n]*\x2F[^\r\n]*\x0D\x0A\d+\x0D\x0A/smi
/^\x22Wollf\x20+Remote\x20+(!i0055)\x22\x20+v\d+\x2E\d+\x0d\x0a/smi
/^\x3B(!i0027)sStatus\x3B(All|Active|Inactive)(!i0027)s/smi
/^hRat\x20+are\x20+ready\x20+-\x3E\x20+Server\x20+(!i0007)/smi
/\x3Cchat\x3E[^\r\n]*\x3C\x2Fchat\x3E/smi
/^IDENTIFY\x20+\x23\x20+\d+\x2E\d+\x2E\d+\x2E\d+\x20+\x23\x20+/
/(!p0008)[^\r\n]*Amitis\x20+1\x2E3.*(!i0006)\x3A[^\r\n]*Server\x20+(!i0050)/smi
/(!p0043)nt\x20+Remote\x20+(!i0025)\x20+(!i0027)/smi
/(!i0078)\x20+to\x20+the\x20+Omniquad\x20+File\x20+Transfer\x20+Server/smi
/(!p0035)\d+\x2E\d+\x2E\d+\x2E\d+\x5E/smi
/^\x7C(!i0004)ed with\x3A\x20+\d+\x2E\d+.\d+.\d+/smi
/(!p0026)theme\x2Ephp\x3F[^\r\n]*iz=/Ui
/(!p0026)feed\x2Ephp\x3F[^\r\n]*ix=/Ui
/ShadowNet\x20+Remote\x20+Web\x20+Based\x20+Spyware/smi
/^\x3c\x41\x20.*\x3b\x5c\x5c.*\x5cSV\x24\x5c\x3e\x3c/smi
/(!p0031)\x3a[^\r\n]*Root[^\r\n]*kit[^\r\n]*Scaner/smi
/(!p0020)1\x2E0b3\x20+(!i0079)/smi
/(!p0022)Troya\x20+\x2D\x20+by\x20+Sma\x20+Sof(!i0063)/smi
/\x7C\d+\x2E\d+\x2E\d+\x2E\d+\x7C.*\x7CYuri\x20+v1\x2E\d+\x7C/smi
/(!p0001)ZOMBIES\x5fHTTP\x5fGET/smiH
/^MAININFO\x7C(!i0011)\x7CENU\x7CMy\x20+server\x20+\x3AD\x7C/smi
/(!p0001)HTTP(!i0029)/smiH
/\x2finst\x2fsetup\x5f\d+\x5f\d+\x5f\x2eexe/Ui
/(!p0000)(!i0010)/smiH
/(!p0005)http\x3A\x2F\x2F(!i0010)\x2F\x3FVFJDSz0/smiH
/(!p0012)TATUS\x3A/smi
/(!p0031)\x3A\x20+Guptachar\x20+\d+\x2E\d+/smi
/\x2C\x3A\x2C\x6A[^\r\n]*\x47\x2C\x6F\x2C\x2C\x79\x2C/
/(!p0001)devSoft\x27s\x20+ipwHTTP\x20+Component/smiH
/(!p0031)\x20+info\x3A\x0D\x0ADelta\x20+Source\x20+v\d+\x2E\d+/smi
/(!p0005)www\x2ezabeedly\x2ecom\x2f(!i0003)php\x3fq\x3d/smiH
/os\x3d.*\x26ver\x3d.*\x26idx\x3d.*\x26user\x3d.*\x26ioctl\x3d.*\x26data\x3d.*/smi
/(!p0018)[^\r\n]*winssco\x2eexe/iH
/(!p0035)\x5E\d+\x2E\d+\x2E\d+\x2E\d+\x5E/smi
/(!p0037)((up\d+)|(adserv))/Hmi
/\x2flevel\x2f\d+\x2f(exec|configure)/iU
/<a\x3a\x20*propfind.*?xmlns\x3a\x20*a=[\x21\x22]?DAV[\x21\x22]?/iR
/(!p0003)OmFkbWlu/smiH
/(!p0003)YWRtaW46cGFzc3dvcmQ/smiH
/(!p0028)(\x20*|\x20*\x0D?\x0A\x20+)[^\n]*?login=0/smiH
/(!p0003)=/smiH
/(!p0003)=/smi
/(!p0014)-\d+/smi
/(!p0014)(-1|4294967295)/smi
/img.pl\x3f[^\r\n]*f=[^\x26\r\n\x2e]*\x2e\x2e/Usmi
/(!p0010)%(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi
/(!p0011)(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi
/(!p0010)(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi
/(!i0004)edNodes.ovpl[^\r\n]*node=[^\r\n]*(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi
/(!p0011)%(\x2c|\x24|\x7c|\x3b|\x22|\x26|\x3c|\x3f)/Usmi
/(!p0025)[^\x22]*\x3b\x20*system\x20*\x28/smi
/(!p0050)xystylesheet=[-\z617a\z3039_\.]*[^-\z617a\z3039_\.&\s]/sUmi
/action(=|\x3f)[^(\n|&)]*\x3c[^(\n|&)]+\x3e/Ui
/(!i0067)(=|\x3f)[^(\n|&)]*\x3c[^(\n|&)]+\x3e/Ui
/[^\x26\x20\x0a]*insert[^\x26\x20\x0a]*Login[^\x26\x20\x0a]*Admin/smi
/(!i0011)(=|\x3f)[^(\n|&)]*\x3c[^(\n|&)]+\x3e/Ui
/^Host\x3a[\z617a\z3039\x20\-\.\x3A\t]*[^\z617a\z3039\x20\-\.\x3A\t\r\n]/msiH
/ldap\x3A\x2F\x2F[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)/smi
/^[\z617a]+\x20+https\x3a\x2f\x2f[^\x2f\x3a\x25\s]*\x25[sn]/i
/^(GET|POST)\x20+[^\x0a]*?\x2fprn\x2e(htm|html|asp|cgi)/i
/\x3C\x3Fxml[^\>]+encoding\x20*\x3D\x20*(\x27|\x22)[^\'\"\>\%]*\x25/
/(!p0024)\x2F\x2E\x2E\x2F\x2E\x2E\x2F[^\n]*?HTTP/i
/(!p0024)\x5C\x2E\x2E\x5C\x2E\x2E\x5C[^\n]*?HTTP/i
/\x3c[^\x3e]+(\x22|\x27)?cai\x3a[^\x3e]*(\x22|\x2522)[^\x3e\x22]*-launcher/smi
/\x80(\x84|\x85\x00|\x86\x00\x00|\x87\x00\x00\x00)\xFF\xFF\xFF\xFF/smi
/\x3F[^\x3F]*\x3F[^\x3F]*\x3F[^\x3F]*\x3F[^\x3F]*\x3F/U
/ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D/i
/(!p0045)che-(!i0025)\x3A\x20*(max-(age|stale)|min-fresh|s-maxage)\x20*\x3D[^\d]+\x0A/smi
/\x28\x20*(\x27[^\x27]*\x27|\x22[^\x22]*\x22)\x20*,\x20*(\x27[^\x27]*\x2E\x2E[\x5c\x2f]|\x22[^\x22]*\x2E\x2E[\x5c\x2f])/si
/(form|module|report)\x20*=\x20*(\x2e\x2e|\x2f|[\z617a]\x3a\x5c)/i
/SYS\x2eDBMS\x5fAQADM\x5fSYS\x2eGRANT\x5fTYPE\x5fACCESS\x20*\x28\x20*\x27[^\x2c\x20\x27]*[\x2c\x20]/is
/(!i0017)\x3a\x20*chunked.*\x0A\x0D?\x0A/smi
/XDB\x2EXDB_PITRIG_PKG\x2EPITRIG_(DROP|TRUNCATE)\x20*\x28[^\x29]*\x27[^\x27]*\x22/smi
/(\x3F|\x26)[^\x3D]*\x27[^\x3D]*\x3Cscript\x3E/smi
/(!p0034)\x27[^\x27]*\x27\x20*[^\s\x2c\x29]/iR
/^(GET|POST|HEAD)\x20+[^\x25]*\x25[\x23\x24\x27\x2a\x2b\x2d\x2ehlqjzt1234567890]*[diouxefgacspn]/i
/(!p0034)\x27[^\x27]*?\x27\x20*[^\x2c\x29]/R
/(!p0034)\x27[^\x27]*\x27\x20*[^\x2c\x29]/R
/^\x20*\x28[^\x2c]+\x2c\x20*\x27[^\x27]*\x3b/R
/(!p0038)sso\x2Fjsp\x2F(!i0058)\x3F[^\s\x0D\x0A]*site2pstoretoken\x3D[^\x26\x0D\x0A]*(\x22|\x2522)/smi
/other=[^\x26]*[\z2124\x27\z282a\x2d\x2f\x3b\x3c\x3e\x3f\x40\z5b5d\z7b7e]/U
/(!p0034)(\x27[^\x27\x22]*\x27\x20*\x2c\x20*)?\x27[^\x27\x22]*\x22/R
/DBMS_ASSERT\x2Esimple_sql_name\x28[^\x29\x22]*?\x22/smi
/^[\z415a]+\x20+\x2Fsetup\x2Fsetup-.*?\x2E\x2E\x2F/mi
/(!p0023)i(!i0066)\x3Flogout\x3Dtrue.*\x2E\x2E\x2F/mi
/(!p0023)\x2Egif.*\x2E\x2E\x2F/mi
/(!p0023)error-serverdown\x2Ejsp.*\x2E\x2E\x2F/mi
/(!p0023)setup\x2F\x69(!i0066).*\x2E\x2E\x2F/mi
/(!p0023)(!i0058).*\x2E\x2E\x2F/mi
/(!p0023)\x2Epng.*\x2E\x2E\x2F/mi
/(!p0001)beagle_beagle/smiH
/tip\x3D[\z617a\z415a]+\x26cli\x3D[\z617a\z415a]+\x26tipo\x3Dcli\x26inf\x3D/smi
/(!p0032)\x2e[^\x0D\x0A]*20\d\d[^\x0D\x0A]*ver\x3A\x20+Legends\x202\x2e1/smi
/(!p0015)\x20+Ryeol\x20+HTTP\x20+Client\x20+Class/smiH
/^\x2Fcap\x2Ftemp\x2F[\z415a\z617a\z3039]+\x2Ejpg/miU
/SELECT\x20*(TO_(DATE|CHAR)|(VARCHAR|TIMESTAMP)(!i0091))\x20*\x28'[^']*'\x20*,\x20*''\x29/smi
/\x3d\x00\x12\x00..........(.[\z80ff]|...[\z80ff])/smiR
/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\x2E(cmd|bat)/smi
/^\x20*[^\x3e]*src\x20*\x3d\x20*[\x22\x27][^\x22\x27]*(!i0052)/iR
/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/
/evtdump\x3f.*?\x2525[^\x20]*?\x20HTTP/i
/db4web_c(\x2Eexe)?\x2F.*(\x2E\x2E[\\|\/]|[\z617a]\x3A)/smiU
/\x2fwiki[^\n]*\x3fuselang=[^\n\x26\x3f]*[\z617a\z415a\x2d]/Usmi
/^USER\x20+(anonymous|ftp)[^\w]*[\r\n]/smi
/(!p0018)[^\n\r]+WebshotsNetClient/smiH
/(!p0018)[^\n\r]+Google[^\n\r]+(!i0080)/smiH
/(!p0042)[^\r\n]+?\x2E(com|dll|exe|js|vbs)/smi
/(!p0002)\x3a[\x20\x09]+(!i0008)octet-stream/smiH
/(!p0002)\x3a[\x20\x09]+(!i0008)x-msdos-program/smiH
/<\x20*object[^>]*?data\x20*\x3A[^,>]*?base64/smi
/exec_sdbinfo\x20+[\x26\x3b\x7c\x3e\x3c]/i
/CHAR\x28.*?CHAR\x28.*?CHAR\x28.*?CHAR\x28.*?CHAR\x28/smi
/s\x00e\x00t\x00(\x20\x00)+a\x00n\x00s\x00i\x00_\x00p\x00a\x00d\x00d\x00i\x00n\x00g\x00(\x20\x00)+o\x00f\x00f\x00/smi
/(update|exec|insert|union)[^\/\\]*\/\*.*\*\/]/Uis
/sipark-log-summary\x2Ejsp\x3F((!i0067)|numa(a|b)|type)[^\s]*\x20/Umi
/(!p0021)/Pi
/(!p0021)/Ui
/new\x20*ActiveXObject\x28\x20*(!i0012)/smi
/[\?\x20\x3b\x26]module=[\z617a\z415a\z3039]*[\x3b\x26]/Ui
/(!p0025)[\z415a]\w*[^\x22]/smi
/\x2Fwordpress\x2F\x3F[^\r\n]*cat\x20*=\x20*[^\r\n\x26]*\x2F\x2E\x2E/smi
/shoutbox_view.php\x3F[^\r\n]*mode\x20*=\x20*(delete|edit)[^\r\n]*id\x20*=\x20*[^\r\n\x26]*[^\d]+/Usmi
/(!p0002)\x3A\x20+multipart\x2Fform-data/smiH
/tag_board.php\x3F[^\r\n]*action=delete[^\r\n]*id=[^\r\n\x26]*(select|insert|delete)/Usmi
/^CSeq\x3A[^\r\n]+[\z0108\x0B\x0C\z0E1F\z80FF]/smi
/(!p0002)\x3A\x20+(!i0008)sdp/smi
/(!i0033)\x3A[^\r\n]+?(!i0071)=[\z0009\x0B\x0C\z0E7F]*[\z80FF]/smi
/(!p0045)NCEL\x20+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\x20+(!i0024)/smi
/(!p0047)[^\r\n]+[\z0108\x0B\x0C\z0E1F\z80FF]/smi
/(!p0040)[^\r\n]+[\z0108\x0B\x0C\z0E1F\z80FF]/smi
/^(!i0077)\x3A[^\r\n]+[\z0108\x0B\x0C\z0E1F\z80FF]/smi
/(!p0008)[^\r\n]+[\z0108\x0B\x0C\z0E1F\z80FF]/smi
/(!p0040)\x20*(!i0024)\x2F(TC|UD)P\x20+[^\r\n%]*%/smi
/^c=([^I]|I[^N]|IN[^\s]|IN\x20+[^I]|IN\x20+I[^P]|IN\x20+IP[^46])/smi
/(!p0002)[^\r\n]+[\z0108\x0B\x0C\z0E1F\z80FF]/smi
/(!p0047)\x20+%25%32%35%25%33%32%25%33%35%25%32%35%25%33%33/smi
/^BYE\x20+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\x20+(!i0024)/smi
/(!p0045)ll-ID\x3A[^\r\n]+[\z0108\x0B\x0C\z0E1F\z80FF]/smi
/^INVITE\x20+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\x20+(!i0024)/smi
/^Remote-Party-ID\x3A\x20+[^\r\n]+\x40[^\r\n]*?[\z80FF]/smi
/^\x02[^\x0a\x20]*\x60[^\x0a\x20]*?\x0a/smi
/\x09\x08\x10\x00\x00[\x00\x01\z07ff]/sm
/(idx1|movi|str[ndfhl]|avih|hdr1|LIST|JUNK)/
/\x3fcdpnode\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i
/\x3fnode\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i
/\x3fnetid\x3d[^\x3b\x26]+[\x27\x24\x7c\x22\x25\x3c\x3e]/i
/\x0a\x0d?\x0a[\z415a\z3039\x2b\x2f\s]*[^\z415a\z3039\x2b\x2f\s\x3d]/iR
/\x3Ca\x20+[^\x3E]*href\x20*\x3D\x20*(\x22|\x27)?skype\x3A[^\s\x3E]*[\z0107]/i
/^\x30(\x84....|\x82..|[^\z80FF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/
/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR
/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR
/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR
/\x5c\x00\x5c\x00[^\x5c]*\x5c\x00\x00\x00/
/(!p0006)[^\r\n]*don't\x20be\x20late!/smi
/(!p0008)[^\r\n]*(!i0037)<webmaster@trojaner-info\x2Ede>/smi
/(!p0006)[^\r\n]*(!i0037)\x20Newsletter/smi
/spell\x2EcustomD(!i0053)ryOpen\x5C\x28(\x20*\d|[^\x2C]+\x2C\x20*[\z415a\d_])/smi
/getAnnots\x5C?\x28[^\x29\x2C]+\x2C\x20*[^\x29\x2C]+\x2C\x20*[^\x29\x2C]+\x2C\x20*-\d/smi
/(C|#43)(o|#6F)(l|#6C)(o|#6F)(r|#72)(s|#73)\x20*1073741838/smi
/\x2EgetElementsByTagName\x28[^\x29]+?\x2EremoveNode\x28true\x29/smi
/on(before|de)activate\x20*\x3d\x20*(!i0020)\x20*\x28\x29\x20*\x7b\x20*call(back|malFunc)\x28\x29/i
